Keyboard with China flag key (Getty images)

WASHINGTON — Officials from the National Security Agency and the State Department said they’re still struggling to come up with a way to deter a powerful hacking group allegedly backed by the Chinese government and accused of slipping into US critical infrastructure networks.

When asked how the US plans to deter the group dubbed Volt Typhoon from future attacks, David Frederick, assistant deputy director for China at NSA replied, “I don’t have a good answer to that.” 

“They are trying to position themselves to have an asymmetric advantage in a crisis or conflict. If you look at the cost-benefit from their point of view and just the breadth of targets in the United States and our allies in terms of global networks, they’re not going to be motivated to stop,” Frederick said at an Intelligence and National Security Summit this week. “So that’s a hard problem — how do we get them, sort of thing.”

“It’s a tough subject,” he later added. 

When Liesyl Franz, deputy assistant secretary for international cyberspace security at the State Department’s bureau of Cyberspace and Digital Policy, was asked the same question, she responded similarly.

“I don’t know the answer to that question either, but there are many key parts we’re trying to get at,” she said Wednesday. 

Franz said the State Department has “increased the drum beat” of deterrence tactics, like public attribution — part of a government-wide name-and-shame strategy.

“You know, once there has been adequate technical attribution and adequate confidence that we can make a public attribution, we do so in order to call out those state actors and hold them accountable,” she later added. But it’s not slowing the group down much, Franz acknowledged.

Senior US officials have attempted to directly tell China to knock it off, as US ambassador at large for cyberspace Nathaniel Fick related to reporters in May. But, he said, Beijing maintains the accusations are unfounded and said it’s all a “ploy” by the US government “to get more budget dollars.”

Volt Typhoon, which the US government says is “sponsored” by the Chinese government, has been accused of compromising thousands of devices worldwide since its activity was first identified in 2021, Recorded reported. The group drew wider attention in May 2023, when Microsoft security analysts publicly named it.

On the same day Microsoft announced the existence of Volt Typhoon, the NSA and other US and allied agencies issued a warning that China state-sponsored cyber actors were using built-in network administration tools (so-called “living off the land” techniques) to target US critical infrastructure, including in Guam.

Related: Chinese ‘Volt Typhoon’ hack underlines shift in Beijing’s targets, skills

At the beginning of this year, the FBI and other federal agencies announced that Volt Typhoon had compromised the IT environments of multiple critical infrastructure providers in the US, and warned that the group was working to infiltrate other infrastructure providers so that it could disrupt them in the event of US military escalation in the Indo-Pacific region.

Frederick said that, unlike cyber espionage campaigns, Volt Typhoon’s goal is not to steal information.

“I think looking at kind of strategic context on why China’s conducting these operations is really important. Xi Jinping really sees the US as a block to his goals for national rejuvenation and growth,” Frederick said. “They have been determined to build a military capability that will enable China to deter the United States from getting involved in conflict in the Pacific, especially with Taiwan.”

He said China is “very focused on building a whole suite of capabilities to deter and defeat the United States, and so Volt Typhoon, these operations that target infrastructure, there really is no kind of reasonable explanation besides pre-positioning. […] It’s really part of a broader military strategy.”

As recently as the beginning of this week, cybersecurity researchers accused Volt Typhoon of exploiting a zero-day vulnerability in the network management platform Versa Director in an attempt to infiltrate tech companies and internet providers, including some in the US. Volt Typhoon reportedly used the flaw in Versa Director to capture credentials and execute malicious code on the compromised servers without being detected. Versa has since announced that it has fixed the security flaw in its product.